There are numerous tools available for checking the security of the WordPress Content Management System (CMS). In the rest of the article we'll look at the WPScan tool, which does a good job of scanning a WordPress installation and its plugins for known security vulnerabilities.

2. WPScan

WPScan is a WordPress security scanner which can identify known security weaknesses in WordPress installations. It is written in Ruby and depends on a few gems, namely typhoeus, xml-simple, mime-types, nokogiri and json. To install the dependencies we need to type in the following:

Some of the options WPScan accepts (from its help output) are:

--wp-plugins-dir <wp plugins dir>  Same as --wp-content-dir but for the plugins directory. If not supplied, WPScan will use wp-content-dir/plugins. Subdirectories are allowed.

--proxy  Supply a proxy in the format host:port (overrides the one from conf/browser.conf.json).

--wordlist | -w <wordlist>  Supply a wordlist for the password brute-forcer and run the brute-force.

--threads | -t <number of threads>  The number of threads to use when multi-threading requests (overrides the value from conf/browser.conf.json).

--username | -U <username>  Only brute-force the supplied username.

--help | -h  This help screen.

--verbose | -v  Verbose output.

Before scanning anything, it's best to run the --update command first, so that we're working with the latest WPScan and its data files:

# ruby wpscan.rb --update

2.1. WPScan features

In this subsection we’ll describe the features of WPScan and the appropriate commands we need to run to invoke the desired functionality.

WordPress Confirmation

This check runs by default every time we run the wpscan.rb script: if the target website isn't running WordPress there's no point in running the rest of the tests against it. To skip the check we can use the --force option when running wpscan.rb, like this:

We can see that WPScan found 10 users: root, keatron, jack, ddalasta, Nick Valenteen, Dan Hestad, Tim Farley, kenneth, dinesh-mistry and Jeremy Martin, and tried to log in as each of them with the password admin that we previously saved in the file passwords.txt, which WPScan uses as its wordlist. The scan finished without a successful login, but that only tells us that none of these accounts use the password admin; a larger wordlist would be needed before concluding anything about password strength. Note also that the user list itself is valuable to an attacker: the login names are exactly what a brute-force attack needs, so an installation that exposes them has already given away half of every credential.
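How the user enumeration and the password check work under the hood, as an added Ruby example that is not part of the original article or of WPScan's own code: WordPress answers a request for /?author=N with a redirect to that user's archive, whose last path segment is the login name, and a failed wp-login.php login returns the form again (status 200) while a successful one returns a 302 carrying a wordpress_logged_in_* cookie. The responses below are constructed inline so the code runs offline; the host wp.example, the user IDs and the cut-off after three consecutive misses are assumptions.

```ruby
require 'uri'

# Constructed responses for the author-ID probe (/?author=N): a WordPress site
# 302-redirects to the author's archive, and the last path segment of the
# Location header is the user's login slug. IDs with no user return 404.
# (Host wp.example and the ids are made up for this example.)
FAKE_RESPONSES = {
  1 => { status: 302, headers: { 'Location' => 'http://wp.example/author/root/' } },
  2 => { status: 302, headers: { 'Location' => 'http://wp.example/author/keatron/' } },
  3 => { status: 404, headers: {} },
  4 => { status: 302, headers: { 'Location' => 'http://wp.example/author/jack/' } },
  5 => { status: 404, headers: {} },
}.freeze

# Extract the author slug from a redirect Location header, or nil if the
# header does not point at an author archive.
def author_slug(location)
  return nil if location.nil?
  path = URI.parse(location).path
  m = path.match(%r{/author/([^/]+)/?\z})
  m && m[1]
end

# Probe ids 1..max_id with the supplied fetch block (id -> {status:, headers:})
# and return the discovered login names in id order. Stops after `gap`
# consecutive misses (an assumed cut-off) so the scan does not walk an
# unbounded id space.
def enumerate_users(max_id, gap: 3, &fetch)
  found = []
  misses = 0
  (1..max_id).each do |id|
    resp = fetch.call(id)
    slug = resp[:status] == 302 ? author_slug(resp[:headers]['Location']) : nil
    if slug
      found << slug
      misses = 0
    else
      misses += 1
      break if misses >= gap
    end
  end
  found
end

# A login POST to wp-login.php answers 200 with the login form again on
# failure and 302 with a wordpress_logged_in_* cookie on success. Classify
# one response so a wordlist run knows when it has hit a valid password.
def login_succeeded?(status, headers)
  cookies = Array(headers['Set-Cookie'])
  status == 302 && cookies.any? { |c| c.start_with?('wordpress_logged_in_') }
end

if __FILE__ == $0
  users = enumerate_users(10) { |id| FAKE_RESPONSES.fetch(id, { status: 404, headers: {} }) }
  puts "users: #{users.join(', ')}" # users: root, keatron, jack
end
```

On a live site the fetch block would issue the HTTP request; everything else stays the same. The display names WPScan prints next to the slugs come from the archive page title, which the redirect alone does not give you.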

Version enumeration

The command used to enumerate the version number of a WordPress installation is:

We can see that WPScan actually found 5 different plugins, namely upprev-nytimes-style-next-post-jquery-animated-fly-in-button, syntaxhighlighter, searchterms-tagging-2, wp-super-cache and redirection.

Vulnerability enumeration

Plugin vulnerability enumeration

2.2. The Timthumb Vulnerability

WPScan also has an option to scan the entire wp-content directory for outdated, insecure versions of the timthumb.php script. TimThumb resizes images and serves them from a cache directory, so that WordPress doesn't have to resize and re-serve the same image on every request, and it can fetch the source image from a predefined set of remote websites. The cache directory is reachable by ordinary visitors from the Internet: timthumb.php simply fetches the remote file and writes it into a directory under the web root. If an attacker can persuade the script to fetch a PHP file from a host that passes its remote-site check, the file lands inside the DocumentRoot and can be requested with a web browser. That gives the attacker a web shell on the server, which can be used to cause further damage to the system.

To check whether any timthumb.php in the WordPress installation is vulnerable we need to run the following command:

We can see that WPScan didn't find any vulnerable timthumb files. That clears the paths WPScan checked, but TimThumb is also bundled inside themes and plugins under other names (commonly thumb.php), so the result is only as good as the list of locations scanned.
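The weak check behind the TimThumb problem and what a hardened version looks like, as an added Ruby example that is not code from the article or from TimThumb itself: the old allowed-site test matched the allowed domain as a substring of the requested URL, so a hostname like blogger.com.attacker.example passed; the hardened version compares the parsed hostname exactly (or as a subdomain) and refuses to cache anything whose bytes are not an image. The example also extracts the VERSION define from timthumb.php and thumb.php files under a directory, the way a local scan of wp-content would. The allowed-site list, the attacker hostname and the use of 2.0 (the rewritten TimThumb) as the cut-off version are assumptions.

```ruby
require 'uri'
require 'rubygems'
require 'fileutils'
require 'tmpdir'

# Allowed remote hosts as shipped in old timthumb.php releases (assumed list).
ALLOWED_SITES = %w[flickr.com picasa.com blogger.com wordpress.com img.youtube.com].freeze

# Weak check modelled on the old logic: the allowed domain only has to occur
# somewhere in the URL string, so both a look-alike hostname and a decoy in
# the query string pass.
def allowed_by_substring?(src)
  lowered = src.downcase
  ALLOWED_SITES.any? { |site| lowered.include?(site) }
end

# Hardened check: parse the URL, require http(s), and compare the hostname
# itself, allowing exact matches and subdomains only.
def allowed_by_host?(src)
  uri = URI.parse(src) rescue nil
  return false unless uri && %w[http https].include?(uri.scheme) && uri.host
  host = uri.host.downcase
  ALLOWED_SITES.any? { |site| host == site || host.end_with?(".#{site}") }
end

# Second line of defence: only write JPEG, PNG or GIF bytes into the
# web-accessible cache, whatever the remote host claimed to be.
def image_bytes?(data)
  bytes = data.b
  bytes.start_with?("\xFF\xD8\xFF".b) ||
    bytes.start_with?("\x89PNG\r\n\x1A\n".b) ||
    bytes.start_with?("GIF87a".b) ||
    bytes.start_with?("GIF89a".b)
end

# Version string from a timthumb.php source, e.g. define ('VERSION', '1.32');
def timthumb_version(source)
  m = source.match(/define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([\d.]+)['"]\s*\)/)
  m && m[1]
end

# Older than fixed_in, or carrying no version at all (treated as suspect).
def outdated_timthumb?(source, fixed_in)
  v = timthumb_version(source)
  v.nil? || Gem::Version.new(v) < Gem::Version.new(fixed_in)
end

# Walk a wp-content tree for timthumb.php and its common alias thumb.php.
def scan_tree(root, fixed_in)
  Dir.glob(File.join(root, '**', '{timthumb,thumb}.php')).sort.map do |path|
    src = File.read(path)
    { path: path, version: timthumb_version(src), outdated: outdated_timthumb?(src, fixed_in) }
  end
end

if __FILE__ == $0
  puts allowed_by_substring?('http://blogger.com.attacker.example/shell.php') # true: bypass
  puts allowed_by_host?('http://blogger.com.attacker.example/shell.php')      # false
end
```

The hostname comparison closes the look-alike domain trick, and the magic-byte check is what stops a PHP file from ever reaching the cache even if an allowed host is compromised; a fixed TimThumb needs both.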

There is also a WordPress plugin called Timthumb Vulnerability Scanner, which does basically the same thing from inside the WordPress installation.

2.3. Exploit Scanner

Another WordPress plugin, Exploit Scanner, is available to download and install. It searches the files and database of our WordPress installation for signs that the site may already have been compromised by an attacker.

2.4. BlindElephant

BlindElephant is a program that fingerprints CMS systems: it detects the CMS type and version and can also fingerprint plugins. The supported CMS systems are Drupal, Joomla, Liferay, Mediawiki, Moodle, Movabletype, Oscommerce, Phpbb, Phpmyadmin, Phpnuke, Spip, Tikiwiki, Twiki and WordPress, so WordPress is among them. The command used to fingerprint a WordPress site is the following:

# python BlindElephant.py resources.infosecinstitute.com wordpress
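What that fingerprinting amounts to, as an added Ruby example (not BlindElephant's code): hash the static files a site serves and intersect the version sets that each known hash belongs to, so every recognised file narrows the candidate versions. The fingerprint table and the file contents are constructed, and the version numbers in it are placeholders; a real database is built by hashing the static files of every release.

```ruby
require 'digest'

# Constructed fingerprint table: path => { sha1_of_content => [versions] }.
# Contents and version numbers are placeholders, not real WordPress hashes.
FINGERPRINTS = {
  'wp-includes/js/jquery/jquery.js' => {
    Digest::SHA1.hexdigest('jquery build A') => ['3.5', '3.5.1'],
    Digest::SHA1.hexdigest('jquery build B') => ['3.6', '3.6.1'],
  },
  'wp-admin/css/colors-fresh.css' => {
    Digest::SHA1.hexdigest('fresh css 3.5')   => ['3.5'],
    Digest::SHA1.hexdigest('fresh css 3.5.1') => ['3.5.1'],
    Digest::SHA1.hexdigest('fresh css 3.6')   => ['3.6', '3.6.1'],
  },
  'readme.html' => {
    Digest::SHA1.hexdigest('readme 3.5.1') => ['3.5.1'],
  },
}.freeze

# Every version the table knows about, in table order.
ALL_VERSIONS = FINGERPRINTS.values.flat_map { |h| h.values.flatten }.uniq.freeze

# fetch: path -> body or nil. Each fetched file whose hash is in the table
# narrows the candidate set by intersection; missing files and unknown hashes
# (locally modified files, versions not in the table) are skipped rather
# than allowed to rule anything out.
def fingerprint(fetch)
  candidates = ALL_VERSIONS.dup
  evidence = {}
  FINGERPRINTS.each do |path, table|
    body = fetch.call(path)
    next if body.nil?
    versions = table[Digest::SHA1.hexdigest(body)]
    next if versions.nil?
    evidence[path] = versions
    candidates &= versions
  end
  { versions: candidates, evidence: evidence }
end

if __FILE__ == $0
  # Constructed site: jquery build A, fresh css 3.5.1, readme.html removed.
  site = { 'wp-includes/js/jquery/jquery.js' => 'jquery build A',
           'wp-admin/css/colors-fresh.css' => 'fresh css 3.5.1' }
  result = fingerprint(->(path) { site[path] })
  puts "candidate versions: #{result[:versions].join(', ')}"   # candidate versions: 3.5.1
end
```

Because the method relies on files that rarely change between releases, a single file often leaves several candidates; it is the intersection across many files that pins the version down, and an administrator who deletes readme.html or edits assets removes evidence but cannot make the site look like a different version.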

2.5. CMS Explorer

CMS Explorer does basically the same thing as BlindElephant, but it can additionally look up vulnerabilities for what it finds on the OSVDB website. CMS Explorer supports only the following CMS systems: Drupal, WordPress, Joomla and Mambo. The command used to fingerprint a WordPress site is the following:

We've looked at WordPress enumeration and vulnerability scanning techniques, and seen that WPScan can find most known vulnerabilities in a running WordPress installation. Since new vulnerabilities in WordPress and its plugins are published all the time, the scan needs to be repeated regularly, with WPScan updated first, to be sure that our installation is still secure.

Dejan Lukan is a security researcher for InfoSec Institute and a penetration tester from Slovenia. He is very interested in finding new bugs in real-world software products with source code analysis, fuzzing and reverse engineering. He also has a great passion for developing his own simple scripts for security-related problems and for learning about new hacking techniques. He knows a great deal about programming languages and can write in a couple of dozen of them. He is also passionate about antivirus bypassing techniques, malware research and operating systems, mainly Linux, Windows and BSD. His own blog is available here: http://www.proteansec.com/.
